Deprecation of Certificate Tools in Exchange Admin Center GUI

I have been trying to install a new certificate for a few days now on Exchange CU12. I have still not had full success. I was able to get it installed on the initial server where I had to generate a new CSR from PowerShell. I could no longer use the GUI for the Certificate Wizard. Those have been completely removed in CU12 per the following article.

I was able to install the certificate and export it properly after much digging and PowerShell Hell. The post for the process is here. It should help when installing a new certificate onto your Exchange Server.


Changes in Exchange Server PowerShell cmdlets and Exchange Admin Center for UNC path inputs (KB5014278)

Exchange Server 2019, Exchange Server 2016

To prevent misuse of UNC paths by attackers, we are removing parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). 

These changes are available in the following latest Exchange Server updates:

Cumulative Update 12 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019

Cumulative Update 23 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016

Changes in Exchange Server cmdlets

Get-AgentTrafficTypeSubscription -TransportService <service> -Server <server UNC path>

Change: The parameter Server that takes the UNC path as input is removed from the cmdlet. This restricts usage to the local server on which the cmdlet is run. 

Import-ExchangeCertificate -FileName "<local/UNC path>" -Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To import the certificate that’s stored in another UNC path, you must use the FileData parameter, as shown in the following example:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "<local or UNC path>" -Encoding byte)) -Password <password>

Export-ExchangeCertificate -Thumbprint <thumbprint> -FileName "<local/UNC path>" -BinaryEncoded -Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To export the certificate to a UNC path, you must use the FileData parameter, as shown in the following example: 

$cert = Export-ExchangeCertificate -Thumbprint <thumbprint> -Password <password> -BinaryEncoded
Set-Content -Path "<local or UNC path>" -Value $cert.FileData -Encoding byte

New-ExchangeCertificate -GenerateRequest -RequestFile "<local/UNC path>" -SubjectName "<subject>" -DomainName <domains>

Change: The RequestFile parameter that takes the UNC path as input is removed from the cmdlet. To export the request file to a UNC path, you must use the Set-Content cmdlet, as shown in the following example. 

$request = New-ExchangeCertificate -GenerateRequest -SubjectName "<subject>" -DomainName <domains>
Set-Content -Path "<local or UNC path>" -Value $request

Get-CalendarDiagnosticLog -Identity "Jasen Kozma" -Subject "Budget Meeting" -ExactMatch $true -LogLocation "C:\My Documents\Calendar Diagnostic Export"

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. This restricts the usage to the local server on which the cmdlet is run.  

Get-CalendarDiagnosticAnalysis -LogLocation "C:\My Documents\Calendar Diagnostic Export" -OutputAs HTML | Set-Content -Path <local/UNC path>

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. You must provide Calendar Diagnostic logs through the CalendarLogs parameter, as shown in the following example:

$calitems = Get-CalendarDiagnosticLog -Identity <mailbox user> -Subject "Budget Meeting"
Get-CalendarDiagnosticAnalysis -CalendarLogs $calitems -OutputAs HTML | Set-Content -Path <local/UNC path>

Exchange Admin Center changes 

Remove UNC path input for storing Virtual Directory settings during reset 

When you reset a virtual directory, the Exchange Control Panel (ECP) asks for a UNC path that it can copy the current settings to. This process is changed. ECP will no longer allow any UNC path input here.


Instead, ECP will ask the user for the name of the file to export the settings to. This information will be stored in the ../V15/Config/Backup folder on the server through which ECP is accessed. If the folder doesn’t exist, it will be created by ECP.


Removal of Import & Export Exchange Certificate

In the previous versions of Exchange Server, there was an option to import or export the Exchange certificate through ECP.


This option is removed. You must now use a PowerShell cmdlet to import or export the Exchange certificate.


Removal of Complete Exchange Certificate Request

In previous versions of Exchange Server, there was an option to complete the Exchange certificate by using ECP. This prompted admins to provide UNC path input.


This option is removed from ECP. You must now use a PowerShell cmdlet to do this.


Removal of New Exchange Certificate Request from CA

In previous versions of Exchange Server, there was an option to request a new Exchange certificate from the certificate authority (CA) by using ECP. This prompted admins to provide UNC path input.


This option is removed from ECP. You must now use a PowerShell cmdlet to do this.


Removal of Renew Exchange Certificate Request

In previous versions of Exchange Server, there was an option to renew an Exchange certificate request by using ECP, which led to admins providing UNC path input.


This option is removed from ECP. You must now use a PowerShell cmdlet to do this.
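
The request, completion, export and import steps that the removed ECP options used to cover can be run end to end from the Exchange Management Shell with the FileData pattern shown earlier. The following is an added example, not code from the KB article or from this post; every path, host name, subject and service list in it is a constructed placeholder. File reads and writes happen through Get-Content and Set-Content in the administrator's own session, and the pending request has to be completed on the server that generated it, because the private key stays there.

```powershell
# Added example for Exchange Management Shell (Exchange 2019 CU12+ / 2016 CU23+).
# All paths, names and domains below are constructed placeholders.
$csrPath = '\\fileserver\certs\mail.req'   # assumption: where the CSR is saved
$cerPath = '\\fileserver\certs\mail.p7b'   # assumption: where the CA response is saved
$pfxPath = 'C:\Temp\mail.pfx'              # assumption: temporary PFX export target

# 1. Generate the request; the cmdlet returns the Base64 request text.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.contoso.example' `
    -DomainName 'mail.contoso.example','autodiscover.contoso.example' `
    -PrivateKeyExportable $true
Set-Content -Path $csrPath -Value $request

# 2. After the CA has issued the certificate, complete the pending request
#    on the same server by passing the response as bytes.
$response = [Byte[]]$(Get-Content -Path $cerPath -Encoding Byte)
$cert = Import-ExchangeCertificate -FileData $response

# 3. Check what was imported before binding it to any service.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, HasPrivateKey, Status
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Export certificate and private key as a password-protected PFX.
#    Read-Host -AsSecureString keeps the password out of the command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# 5. On each additional Exchange server, import the PFX the same way.
$pfxBytes = [Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte)
Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword `
    -PrivateKeyExportable $true

# 6. Delete the PFX once it has been distributed; it contains the private key.
Remove-Item -Path $pfxPath
```

The -Encoding Byte form matches the KB example and applies to Windows PowerShell 5.1, which the Exchange Management Shell runs on.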


CONTINUE TO FOLLOW ME AND FIND OUT THE WORKAROUND!

REFERENCES:
Changes in Exchange Server PowerShell cmdlets and Exchange Admin Center for UNC path inputs (KB5014278) (microsoft.com)
